RBAC Capability Matrix
Sprint 76 (F88) introduces org-scoped RBAC backed by the org_role table. Five roles, hard-gated on 12 sensitive write routes. This doc is the canonical source for "what role can do what."
Roles
| Role | Intended persona |
|---|---|
| admin | Customer security owner / tenant admin. |
| security_lead | AppSec or DevSecOps lead. |
| analyst | Hands-on triage analyst. |
| viewer | Read-only stakeholder (exec / auditor). |
| auditor | Read-only with audit-log access. |
The first user in an org is auto-promoted to admin via DB trigger; everyone else defaults to analyst on join.
Capability matrix
| Capability | viewer | auditor | analyst | security_lead | admin |
|---|---|---|---|---|---|
| Read issues / attack paths | Y | Y | Y | Y | Y |
| Read audit log | | Y | Y | Y | Y |
| Acknowledge issue | | | Y | Y | Y |
| Close critical issue | | | | Y | Y |
| Apply attack-path remediation | | | | Y | Y |
| Tune watchlists | | | Y | Y | Y |
| Tune framework mappings / AIL threshold | | | | Y | Y |
| Rotate signing / API key / webhook | | | | | Y |
| Agentgateway config | | | | | Y |
| Reveal webhook secret | | | | | Y |
| Change RBAC grants | | | | | Y |
| Download compliance evidence bundle | Jiffy staff only (not granted by any org role) | | | | |
Retrofit routes (Sprint 76 coverage)
The 12 canonical sensitive write routes in the codebase, their method(s), and the role(s) that are permitted:
| # | Route | Method(s) | Permitted roles |
|---|---|---|---|
| 1 | /api/settings/api-keys | POST | admin |
| 2 | /api/settings/api-keys/[id]/rotate | POST | admin |
| 3 | /api/settings/api-keys/[id] | DELETE | admin |
| 4 | /api/settings/webhooks | POST | admin, security_lead |
| 5 | /api/settings/webhooks/[id] | DELETE | admin, security_lead |
| 6 | /api/settings/webhooks/[id]/reveal-secret | POST | admin |
| 7 | /api/admin/signing-keys | POST (create/rotate) | Jiffy staff (implicit admin) |
| 8 | /api/admin/signing-keys/[id]/revoke | POST | Jiffy staff (implicit admin) |
| 9 | /api/v1/critical-issues/[id]/acknowledge | POST | admin, security_lead, analyst |
| 10 | /api/v1/critical-issues/[id]/close | POST | admin, security_lead |
| 11 | /api/settings/policy/ail-threshold | PUT | admin, security_lead |
| 12 | /api/settings/watchlists | POST, DELETE | admin, security_lead, analyst |
| 13 | /api/settings/frameworks | PUT | admin, security_lead |
| 14 | /api/settings/agentgateway | POST | admin |
(The signing-keys pair is split across rows 7-8 for readability; the canonical count per the Sprint 76 contract is "12 sensitive write routes" — signing-keys counts as one.)
Enforcement mechanics
- `web/src/lib/auth/rbac.ts`: canonical `requireOrgRole(role | role[])` helper.
- `web/scripts/check-rbac-retrofit.ts`: CI gate that asserts every retrofit route calls one of `requireOrgRole` / `adminGate` / `requireJiffyStaff`.
- The `audit-coverage` gate (Sprint 32) continues to enforce that every retrofit route emits a `logAudit()` call on success.
Attack-path remediation application is gated at the template layer; when that endpoint ships, it joins this table without requiring a doc revision.
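As an added example (not the project's `rbac.ts`; the `Principal`, `Rule`, `findRule` and `isAllowed` names are illustrative), the retrofit table above expressed as a table-driven allow decision: one rule per (method, route), `[id]` as a wildcard segment, Jiffy-staff-only rows handled separately, and deny-by-default for anything the table does not list.

```typescript
// Added example, not the project's rbac.ts. Encodes the Sprint 76 retrofit
// table as data so the allow decision is a lookup, not per-route if/else.
type OrgRole = "admin" | "security_lead" | "analyst" | "viewer" | "auditor";

interface Principal {
  orgRole: OrgRole | null;   // null: authenticated but no org_role row yet
  isJiffyStaff: boolean;     // staff flag used by the /api/admin routes
}

interface Rule { method: string; template: string; roles: OrgRole[]; staffOnly?: boolean }

// One rule per (method, route) from the retrofit table; "[id]" is a wildcard segment.
const RULES: Rule[] = [
  { method: "POST",   template: "/api/settings/api-keys",                    roles: ["admin"] },
  { method: "POST",   template: "/api/settings/api-keys/[id]/rotate",        roles: ["admin"] },
  { method: "DELETE", template: "/api/settings/api-keys/[id]",               roles: ["admin"] },
  { method: "POST",   template: "/api/settings/webhooks",                    roles: ["admin", "security_lead"] },
  { method: "DELETE", template: "/api/settings/webhooks/[id]",               roles: ["admin", "security_lead"] },
  { method: "POST",   template: "/api/settings/webhooks/[id]/reveal-secret", roles: ["admin"] },
  { method: "POST",   template: "/api/admin/signing-keys",                   roles: [], staffOnly: true },
  { method: "POST",   template: "/api/admin/signing-keys/[id]/revoke",       roles: [], staffOnly: true },
  { method: "POST",   template: "/api/v1/critical-issues/[id]/acknowledge",  roles: ["admin", "security_lead", "analyst"] },
  { method: "POST",   template: "/api/v1/critical-issues/[id]/close",        roles: ["admin", "security_lead"] },
  { method: "PUT",    template: "/api/settings/policy/ail-threshold",        roles: ["admin", "security_lead"] },
  { method: "POST",   template: "/api/settings/watchlists",                  roles: ["admin", "security_lead", "analyst"] },
  { method: "DELETE", template: "/api/settings/watchlists",                  roles: ["admin", "security_lead", "analyst"] },
  { method: "PUT",    template: "/api/settings/frameworks",                  roles: ["admin", "security_lead"] },
  { method: "POST",   template: "/api/settings/agentgateway",                roles: ["admin"] },
];

// Segment-wise match; "[id]" accepts exactly one non-empty path segment.
function matchesTemplate(template: string, path: string): boolean {
  const t = template.split("/");
  const p = path.split("/");
  return t.length === p.length &&
    t.every((seg, i) => (seg === "[id]" ? (p[i] ?? "").length > 0 : seg === p[i]));
}

// Method is case-insensitive; the query string never participates in matching.
function findRule(method: string, path: string): Rule | undefined {
  const m = method.toUpperCase();
  const cleanPath = path.split("?")[0] ?? "";
  return RULES.find((r) => r.method === m && matchesTemplate(r.template, cleanPath));
}

// Deny by default: a sensitive route missing from RULES, or a caller with no
// org role, is refused rather than falling through to the handler.
function isAllowed(who: Principal, method: string, path: string): boolean {
  const rule = findRule(method, path);
  if (!rule) return false;
  if (rule.staffOnly) return who.isJiffyStaff;
  return who.orgRole !== null && rule.roles.includes(who.orgRole);
}
```

Because the CI gate already requires each retrofit route to call a gate helper, an unmatched route here indicates a table/route drift worth failing loudly on rather than silently permitting.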